Hi, I've recently installed fail2ban on CentOS 8, and while it's logging
IPs that should be banned, they are not actually being banned in
firewalld as far as I can tell.
Note that there should be a number of IPs banned according to fail2ban:
[root@angels ~]# fail2ban-client get sshd banip
49.73.235.149 104.248.114.67 51.254.123.127 111.230.73.133 51.91.159.46
218.92.0.215 217.182.71.54 51.83.73.109 218.92.0.219 157.230.153.75
165.22.215.192 36.91.40.132 125.212.203.113 222.186.175.23 221.148.45.168
...but I can't find anything actually banned in either firewalld or
iptables:
[root@angels ~]# firewall-cmd --direct --get-all-chains
[root@angels ~]# firewall-cmd --get-ipsets
[root@angels ~]# firewall-cmd --direct --get-all-rules
[root@angels ~]# iptables
iptables iptables-apply iptables-restore
iptables-restore-translate iptables-save
iptables-translate
[root@angels ~]# iptables-save
# Generated by iptables-save v1.8.4 on Sat Jun 27 09:48:26 2020
*filter
:INPUT ACCEPT [485284:52507614]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [558511:91234700]
COMMIT
# Completed on Sat Jun 27 09:48:26 2020
# Generated by iptables-save v1.8.4 on Sat Jun 27 09:48:26 2020
*security
:INPUT ACCEPT [311672:36098780]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [558511:91234700]
COMMIT
# Completed on Sat Jun 27 09:48:26 2020
# Generated by iptables-save v1.8.4 on Sat Jun 27 09:48:26 2020
*raw
:PREROUTING ACCEPT [485288:52508138]
:OUTPUT ACCEPT [558511:91234700]
COMMIT
# Completed on Sat Jun 27 09:48:26 2020
# Generated by iptables-save v1.8.4 on Sat Jun 27 09:48:26 2020
*mangle
:PREROUTING ACCEPT [485288:52508138]
:INPUT ACCEPT [485284:52507614]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [558511:91234700]
:POSTROUTING ACCEPT [558514:91234856]
COMMIT
# Completed on Sat Jun 27 09:48:26 2020
# Generated by iptables-save v1.8.4 on Sat Jun 27 09:48:26 2020
*nat
:PREROUTING ACCEPT [188329:10154473]
:INPUT ACCEPT [37464:2302959]
:POSTROUTING ACCEPT [3743:274930]
:OUTPUT ACCEPT [3743:274930]
COMMIT
# Completed on Sat Jun 27 09:48:26 2020
Here's my jail.local:
[root@angels ~]# cat /etc/fail2ban/jail.local
[default]
bantime = 1h
banaction = iptables-multiport
banaction_allports = iptables-allports
[sshd]
enabled = true
bantime = 1h
...and here's the full config:
[root@angels ~]# fail2ban-server --dp
['set', 'syslogsocket', 'auto']
['set', 'loglevel', 'INFO']
['set', 'logtarget', '/var/log/fail2ban.log']
['set', 'dbfile', '/var/lib/fail2ban/fail2ban.sqlite3']
['set', 'dbmaxmatches', 10]
['set', 'dbpurgeage', '1d']
['add', 'sshd', 'systemd']
['set', 'sshd', 'usedns', 'warn']
['set', 'sshd', 'prefregex',
'^<F-MLFID>\\s*(?:\\S+\\s+)?(?:sshd(?:\\[\\d+\\])?:?\\s+)?(?:kernel:\\s?\\[
*\\d+\\.\\d+\\]:?\\s+)?</F-MLFID>(?:(?:error|fatal): (?:PAM:
)?)?<F-CONTENT>.+</F-CONTENT>$']
['set', 'sshd', 'maxlines', 1]
[ 'multi-set',
'sshd',
'addfailregex',
[ '^[aA]uthentication (?:failure|error|failed) for
<F-USER>.*</F-USER> from <HOST>( via \\S+)?(?: (?:port \\d+|on
\\S+|\\[preauth\\])){0,3}\\s*$',
'^User not known to the underlying authentication module for
<F-USER>.*</F-USER> from <HOST>(?: (?:port \\d+|on
\\S+|\\[preauth\\])){0,3}\\s*$',
'^Failed publickey for invalid user
<F-USER>(?P<cond_user>\\S+)|(?:(?! from ).)*?</F-USER> from <HOST>(?:
(?:port \\d+|on \\S+)){0,2}(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from
).)*)$)',
'^Failed \\b(?!publickey)\\S+ for (?P<cond_inv>invalid user
)?<F-USER>(?P<cond_user>\\S+)|(?(cond_inv)(?:(?! from
).)*?|[^:]+)</F-USER> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}(?:
ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)',
'^<F-USER>ROOT</F-USER> LOGIN REFUSED FROM <HOST>',
'^[iI](?:llegal|nvalid) user <F-USER>.*?</F-USER> from <HOST>(?:
(?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$',
'^User <F-USER>.+</F-USER> from <HOST> not allowed because not
listed in AllowUsers(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$',
'^User <F-USER>.+</F-USER> from <HOST> not allowed because listed
in DenyUsers(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$',
'^User <F-USER>.+</F-USER> from <HOST> not allowed because not in
any group(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$',
'^refused connect from \\S+ \\(<HOST>\\)',
'^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>(?:
(?:port \\d+|on \\S+)){0,2}:\\s*3: .*: Auth fail(?: (?:port \\d+|on
\\S+|\\[preauth\\])){0,3}\\s*$',
'^User <F-USER>.+</F-USER> from <HOST> not allowed because a group
is listed in DenyGroups(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$',
"^User <F-USER>.+</F-USER> from <HOST> not allowed because none of
user's groups are listed in AllowGroups(?: (?:port \\d+|on
\\S+|\\[preauth\\])){0,3}\\s*$",
'^<F-NOFAIL>pam_[a-z]+\\(sshd:auth\\):\\s+authentication
failure;</F-NOFAIL>(?:\\s+(?:(?:logname|e?uid|tty)=\\S*)){0,4}\\s+ruser=<F-ALT_USER>\\S*</F-ALT_USER>\\s+rhost=<HOST>(?:\\s+user=<F-USER>\\S*</F-USER>)?(?:
(?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$',
'^(error: )?maximum authentication attempts exceeded for
<F-USER>.*</F-USER> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}(?:
ssh\\d*)?(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$',
'^User <F-USER>.+</F-USER> not allowed because account is locked(?:
(?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*',
'^<F-MLFFORGET>Disconnecting</F-MLFFORGET>(?: from)?(?:
(?:invalid|authenticating)) user <F-USER>\\S+</F-USER> <HOST>(?: (?:port
\\d+|on \\S+)){0,2}:\\s*Change of username or service not
allowed:\\s*.*\\[preauth\\]\\s*$',
'^<F-MLFFORGET>Disconnecting</F-MLFFORGET>: Too many authentication
failures(?: for <F-USER>.+?</F-USER>)?(?: (?:port \\d+|on
\\S+|\\[preauth\\])){0,3}\\s*$',
'^<F-NOFAIL>Received
<F-MLFFORGET>disconnect</F-MLFFORGET></F-NOFAIL> from <HOST>(?: (?:port
\\d+|on \\S+)){0,2}:\\s*11:',
'^<F-NOFAIL><F-MLFFORGET>(Connection
closed|Disconnected)</F-MLFFORGET></F-NOFAIL> (?:by|from)(?:
(?:invalid|authenticating) user <F-USER>\\S+|.+?</F-USER>)? <HOST>(?:(?:
(?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*|\\s*)$',
'^<F-MLFFORGET><F-MLFGAINED>Accepted
\\w+</F-MLFGAINED></F-MLFFORGET> for <F-USER>\\S+</F-USER> from
<HOST>(?:\\s|$)',
'^<F-NOFAIL>Connection from</F-NOFAIL> <HOST>']]
['set', 'sshd', 'datepattern', '{^LN-BEG}']
['set', 'sshd', 'addjournalmatch', '_SYSTEMD_UNIT=sshd.service', '+',
'_COMM=sshd']
['set', 'sshd', 'maxretry', 5]
['set', 'sshd', 'maxmatches', 5]
['set', 'sshd', 'findtime', '10m']
['set', 'sshd', 'bantime', '1h']
['set', 'sshd', 'ignorecommand', '']
['set', 'sshd', 'logencoding', 'auto']
['set', 'sshd', 'addaction', 'firewallcmd-rich-rules']
[ 'multi-set',
'sshd',
'action',
'firewallcmd-rich-rules',
[['actionstart', ''], ['actionstop', ''], ['actioncheck', ''],
['actionban', 'ports="ssh"; for p in $(echo $ports | tr ", " " "); do
firewall-cmd --add-rich-rule="rule family=\'<family>\' source
address=\'<ip>\' port port=\'$p\' protocol=\'tcp\' reject
type=\'<rejecttype>\'"; done'], ['actionunban', 'ports="ssh"; for p in
$(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule
family=\'<family>\' source address=\'<ip>\' port port=\'$p\'
protocol=\'tcp\' reject type=\'<rejecttype>\'"; done'], ['actiontype',
'<multiport>'], ['name', 'sshd'], ['port', 'ssh'], ['protocol', 'tcp'],
['chain', '<known/chain>'], ['actname', 'firewallcmd-rich-rules'],
['family', 'ipv4'], ['zone', 'public'], ['service', 'ssh'],
['rejecttype', 'icmp-port-unreachable'], ['blocktype', 'REJECT
--reject-with <rejecttype>'], ['rich-blocktype', "reject
type='<rejecttype>'"], ['family?family=inet6', 'ipv6'],
['rejecttype?family=inet6', 'icmp6-port-unreachable']]]
['start', 'sshd']
...any insight as to why it's not actually banning?
Peter
_______________________________________________
Fail2ban-users mailing list
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
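An added reconciliation check, not part of Peter's message or of fail2ban itself. The `fail2ban-server --dp` dump above shows the jail's active action is `firewallcmd-rich-rules`, which installs one firewalld rich rule per banned IP; such rules are listed with `firewall-cmd --list-rich-rules` (not by `--direct --get-all-rules` or `--get-ipsets`), and with firewalld's default nftables backend on CentOS 8 they do not appear in `iptables-save` either. The script below takes the text of `fail2ban-client get <jail> banip` and of `firewall-cmd --list-rich-rules` and prints each IP that fail2ban believes is banned but that has no enforcing rich rule. The function names and the sample data are constructed for this example (the sample IPs are taken from the ban list in the post).

```shell
#!/bin/sh
# Added example (not from the original post): reconcile fail2ban's ban list
# against the firewalld rich rules actually installed. All names here are
# constructed for this example.

# Escape "." so an address is matched literally inside an extended regex.
escape_re() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# $1: whitespace-separated IPs as printed by `fail2ban-client get <jail> banip`
# $2: output of `firewall-cmd --list-rich-rules` (one rule per line)
# Prints every banned IP that no rich rule carries as its source address.
missing_bans() {
    _banned="$1"
    _rules="$2"
    for _ip in $_banned; do
        _esc=$(escape_re "$_ip")
        # firewall-cmd prints values double-quoted; accept single quotes too.
        if ! printf '%s\n' "$_rules" | grep -E -q "source address=[\"']${_esc}[\"']"; then
            printf '%s\n' "$_ip"
        fi
    done
}

# Number of IPs fail2ban reports as banned that firewalld is not enforcing.
count_missing() {
    missing_bans "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample: two IPs from the post's ban list, only one of which
# has a matching rich rule installed.
SAMPLE_BANNED='49.73.235.149 104.248.114.67'
SAMPLE_RULES='rule family="ipv4" source address="49.73.235.149" port port="22" protocol="tcp" reject type="icmp-port-unreachable"'

echo "Banned by fail2ban but absent from firewalld rich rules:"
missing_bans "$SAMPLE_BANNED" "$SAMPLE_RULES"
echo "Unenforced bans: $(count_missing "$SAMPLE_BANNED" "$SAMPLE_RULES")"
```

Against a live host the same functions are fed real output, e.g. `missing_bans "$(fail2ban-client get sshd banip)" "$(firewall-cmd --list-rich-rules)"`; a non-empty result means the actionban command is failing or being applied somewhere other than the zone being listed, and `fail2ban.log` at the time of the ban plus `nft list ruleset` are the places to confirm which.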